When I start the server by hand using you suggested startup, the server
does indeed listen on port 636. But when I modify the default startup
script (included in the Fedora distro) and restart it, it was no longer
listening on port 636. That made me look at the startup in more
detail. The script starts the daemon be calling the daemon function in
the functions script with the full command line as a parameter. If I
start the server directly and not through the daemon function, it works
properly (i.e., listens on port 636 and responds to ldaps:// queries)
whether the startup is -h "ldap:// ldaps://" or -h "ldap:///
ldaps:///". I don't understand it, but it works correctly every time
now. I think I need to look at that daemon function to see what's going
on. Perhaps it's entirely superfluous.
Anyway, thank you much. Your help got me started on finding the
problem. Now I can go and get a real certificate from the CA and move
the server into production.
On 10/30/2006 10:53 PM, Geert Van Muylem wrote:
Try something like this:
/usr/local/libexec/slapd -u ldap -h "ldap:// ldaps://"
On Behalf Of Rob Tanner
Sent: dinsdag 31 oktober 2006 1:39
Subject: OpenLDAP configured for TLS not listenting on port 636
I am just now venturing for the first time into using SSL with
OpenLDAP. The principal problem (or at least the first symptom of the
problem) is that the server is listening only on port 389 and not 636
(according to netstat)
OpenLDAP was built with the '--with-tls' configuration parameter. While
I intend get a regular certificate, for testing purposes I created my
own certificate using CA.pl. I copied the output files to where I want
to keep them and added the additional configuration info to slapd.conf:
When I start OpenLDAP, I'm prompted to enter the PEM pass phrase.
A ps command confirms that the start-up script did the right thing:
/usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
But ssl connections fail and a netstat command only shows the server
listening on port 389.
Is there something I'm missing at this point merely to get the server
listening on port 636?